Cyber Posture

CVE-2025-71260

Severity: High · Public PoC · RCE · Updated

Published: 19 March 2026
Modified: 22 April 2026
CVSS Score: 8.8 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.3264 (96.9th percentile)
Risk Priority: 37 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-71260 is a high-severity Deserialization of Untrusted Data (CWE-502) vulnerability in BMC FootPrints ITSM. Its CVSS base score is 8.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked in the top 3.1% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190). What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5) · AI-generated

prevent: Timely flaw remediation through application of vendor-specific hotfixes directly eliminates the deserialization vulnerability in VIEWSTATE handling.

prevent: Information input validation ensures proper checking of the VIEWSTATE parameter to block deserialization of crafted malicious serialized objects.

prevent: Memory protection mechanisms such as DEP and ASLR mitigate the impact of arbitrary code execution resulting from successful deserialization.

MITRE ATT&CK Enterprise Techniques · AI-generated

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

Why these techniques?

Deserialization vulnerability in ASP.NET VIEWSTATE of network-accessible BMC FootPrints ITSM enables authenticated remote code execution, directly facilitating T1190: Exploit Public-Facing Application.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

NVD Description

BMC FootPrints ITSM versions 20.20.02 through 20.24.01.001 contain a deserialization of untrusted data vulnerability in the ASP.NET servlet's VIEWSTATE handling that allows authenticated attackers to execute arbitrary code. Attackers can supply crafted serialized objects to the VIEWSTATE parameter to achieve remote code execution and fully compromise the application. The following hotfixes remediate the vulnerability: 20.20.02, 20.20.03.002, 20.21.01.001, 20.21.02.002, 20.22.01, 20.22.01.001, 20.23.01, 20.23.01.002, and 20.24.01.

Deeper analysis · AI-generated

CVE-2025-71260 is a deserialization of untrusted data vulnerability (CWE-502) affecting BMC FootPrints ITSM versions 20.20.02 through 20.24.01.001. The issue resides in the ASP.NET servlet's VIEWSTATE handling, where the application fails to properly validate serialized objects, enabling authenticated attackers to supply crafted payloads via the VIEWSTATE parameter. This flaw carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), indicating high severity due to its potential for remote code execution and complete application compromise.

Authenticated attackers with low-privilege access (PR:L) can exploit this vulnerability over the network (AV:N) with low complexity (AC:L) and without user interaction (UI:N). By injecting malicious serialized objects into the VIEWSTATE parameter, they achieve arbitrary code execution on the server, granting full control over the BMC FootPrints ITSM application and potentially the underlying host system.

BMC advisories detail remediation through specific hotfixes: 20.20.02, 20.20.03.002, 20.21.01.001, 20.21.02.002, 20.22.01, 20.22.01.001, 20.23.01, 20.23.01.002, and 20.24.01. Security practitioners should verify affected versions and apply these patches promptly, as outlined in the vendor release notes and third-party analyses from Watchtower Labs and VulnCheck.

Details

CWE(s): CWE-502 Deserialization of Untrusted Data

Affected Products: BMC FootPrints ITSM, versions 20.20.02 through 20.24.01.001

CVEs Like This One

CVE-2025-71257 (same product: BMC FootPrints ITSM)
CVE-2025-71259 (same product: BMC FootPrints ITSM)
CVE-2025-71258 (same product: BMC FootPrints ITSM)
CVE-2025-54366 (shared CWE-502)
CVE-2025-7916 (shared CWE-502)
CVE-2025-0994 (shared CWE-502)
CVE-2024-56180 (shared CWE-502)
CVE-2025-9121 (shared CWE-502)
CVE-2026-24378 (shared CWE-502)
CVE-2025-27300 (shared CWE-502)